- From: Jeff Sonstein <jeffs@it.rit.edu>
- Date: Tue, 19 May 2009 07:56:01 -0400
- To: Adam Connors <adamconnors@google.com>
- Cc: public-bpwg@w3.org
On May 19, 2009, at 7:44 AM, public-bpwg@w3.org wrote:

> There is a BP in the MWABP which states you shouldn't directly
> eval() JSON data but should use a JSON parser instead for security
> reasons... We came to this point after a number of more nuanced
> iterations. However, feedback from a colleague in the office who did
> some benchmarking suggests that JSON parsing is approx. * 10 slower
> than direct eval(). So... I don't think we can really make a BP that
> would require an app to run * 10 slower than it has to...

well it would just be the "get and parse remote data" part which would run slower... the rest of the app should not be affected I would think

> I propose:
>
> * Would somebody please volunteer to verify this figure and see if
> it is still true. It was true on iPhone 1 and the gap may have
> narrowed in 2.x, Android, or other platforms...

someone who has other-than-iPhones avail should probably do this

> * If the gap has narrowed we should keep things as they are and
> offer some comment on relative performance eval vs json parsing.

even if the gap is that bad and has not narrowed this still seems an appropriate thing to do

> * If the gap hasn't closed I propose that we change this BP to state
> that the preferred option is to use eval() but only on trusted data

makes sense either way

do you have a link to a benchmark?

jeffs

--
"By the time you swear you're his,
Shivering and sighing,
And he vows his passion is
Infinite, undying -
Lady, make a note of this:
One of you is lying."
- Dorothy Parker -

============
Prof. Jeff Sonstein
http://www.it.rit.edu/~jxs/
http://ariadne.iz.net/~jeffs/
http://chw.rit.edu/blog/
http://ariadne.iz.net/~jeffs/jeffs.asc
http://www.it.rit.edu/~jxs/emailDisclaimer.html
Received on Tuesday, 19 May 2009 11:57:04 UTC
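The thread above asks two things: why a JSON parser is preferred over eval() for remote data, and whether anyone can verify the "approx. 10x slower" figure. The script below is an added example (not from the thread or from the BPWG) that shows both in one place: it feeds a constructed JSON response and a constructed non-JSON response to each strategy, and it times both over the same text so the ratio can be measured on whatever engine it is run in. The sample data, the `probe` and `benchmark` helpers and the iteration counts are all assumptions made for this example.

```javascript
// Added example, not from the thread: compares eval() and JSON.parse() on the
// same inputs, first for what each does with a response that is not JSON, then
// as a rough timing harness for the "approx. 10x slower" figure under discussion.

// Constructed sample: a response shaped like typical remote JSON data.
const trustedJson = JSON.stringify({
  items: Array.from({ length: 200 }, (_, i) => ({
    id: i,
    name: "item" + i,
    tags: ["mobile", "bp"],
  })),
});

// Constructed sample: valid JavaScript, but not JSON. This is what "untrusted
// data" means in practice: the app has no guarantee the text is data at all.
const nonJson = '(function () { return { injected: true }; })()';

// The classic eval() idiom for JSON text: wrap in parentheses so an object
// literal is parsed as an expression rather than as a block statement.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// A real JSON parser: accepts only the JSON grammar and throws on anything else.
function parseWithJsonParser(text) {
  return JSON.parse(text);
}

// Reports how each strategy handles an input: "ok:<typeof result>" when it
// produced a value, "error:<ErrorName>" when it threw.
function probe(text) {
  const outcome = {};
  const strategies = [["eval", parseWithEval], ["parse", parseWithJsonParser]];
  for (const [name, fn] of strategies) {
    try {
      outcome[name] = "ok:" + typeof fn(text);
    } catch (e) {
      outcome[name] = "error:" + e.name;
    }
  }
  return outcome;
}

// Times both strategies over the same text. Returns milliseconds for each,
// the ratio parseMs / evalMs (values above 1 mean eval() was faster), and
// whether both produced structurally identical results.
function benchmark(text, iterations) {
  const time = (fn) => {
    const start = process.hrtime.bigint();
    let last;
    for (let i = 0; i < iterations; i++) last = fn(text);
    const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
    return { ms: elapsedMs, last };
  };
  const e = time(parseWithEval);
  const p = time(parseWithJsonParser);
  return {
    evalMs: e.ms,
    parseMs: p.ms,
    ratio: e.ms > 0 ? p.ms / e.ms : NaN,
    sameResult: JSON.stringify(e.last) === JSON.stringify(p.last),
  };
}

// Run directly (node this-file.js) to print the comparison for this engine.
if (typeof require !== "undefined" && require.main === module) {
  console.log("trusted JSON:      ", probe(trustedJson));
  console.log("non-JSON response: ", probe(nonJson));
  console.log("timing:            ", benchmark(trustedJson, 2000));
}
```

The `probe` output is the security point in one line: on the JSON response both strategies return an object, but on the non-JSON response `JSON.parse` throws a `SyntaxError` while `eval` happily runs the code and returns whatever it produced. The `benchmark` output is the performance point; the ratio it reports depends entirely on the engine and device, which is why the thread asks for measurements on more than one platform before settling the BP wording.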